Securely pass a secret to a curl command in a Docker container

Konstantin Shapkin
May 4, 2021


Suppose you need to download a file from a repository that requires authentication. The regular curl command is:

Dockerfile:

FROM debian:buster-slim
RUN apt-get update && apt-get install -y curl
RUN curl --user username:password --output filename.zip https://repository.example.com/filename.zip

But if you run this command inside a Dockerfile in a CI pipeline, you leave your secrets in the CI logs forever.

Instead, you can save your credentials in a .netrc file and use that file securely in the RUN step:

RUN --mount=type=secret,id=netrc curl --netrc-file /run/secrets/netrc https://repository.example.com/filename.zip

To use this feature you need Docker BuildKit and experimental syntax support in the Dockerfile. Add this header to your Dockerfile:

# syntax=docker/dockerfile:experimental

Putting all the lines together, the resulting Dockerfile is:

# syntax=docker/dockerfile:experimental
FROM debian:buster-slim
RUN apt-get update && apt-get install -y curl
RUN --mount=type=secret,id=netrc curl --netrc-file /run/secrets/netrc --output filename.zip https://repository.example.com/filename.zip

Then start the build with BuildKit:

DOCKER_BUILDKIT=1 docker build --secret id=netrc,src=/tmp/.netrc .
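
The post does not show the .netrc file that is passed as the secret. The script below is an added example, not part of the original post: it writes that file with owner-only permissions, runs the build command from above, and deletes the file afterwards. The variable names REPO_USER and REPO_PASSWORD and the function names are assumptions standing in for whatever your CI system provides.

```shell
#!/bin/sh
# Added example: create the .netrc secret for the BuildKit build and clean it up.
# REPO_USER / REPO_PASSWORD are assumed CI variable names, not from the article.

# write_netrc HOST LOGIN PASSWORD
# Writes a netrc file readable only by its owner and prints its path.
write_netrc() {
    host=$1 login=$2 password=$3
    # netrc tokens are whitespace-separated; refuse values that would break parsing
    case "$login$password" in
        *[[:space:]]*) echo "whitespace in credentials is not supported" >&2
                       return 1 ;;
    esac
    # mktemp creates the file with mode 0600 and an unpredictable name
    file=$(mktemp "${TMPDIR:-/tmp}/netrc.XXXXXX") || return 1
    # printf is a builtin in bash and dash, so the password is not passed
    # as an argument to a separate process
    printf 'machine %s\nlogin %s\npassword %s\n' \
        "$host" "$login" "$password" > "$file"
    printf '%s\n' "$file"
}

# build_image CONTEXT
# Creates the secret file, runs the build, and removes the file in every case.
build_image() {
    netrc=$(write_netrc repository.example.com "$REPO_USER" "$REPO_PASSWORD") \
        || return 1
    DOCKER_BUILDKIT=1 docker build --secret id=netrc,src="$netrc" "$1"
    status=$?
    rm -f "$netrc"
    return "$status"
}

# Run the build only when asked to: sh build.sh build .
if [ "${1:-}" = "build" ]; then
    build_image "${2:-.}"
fi
```

Because the credentials reach curl only through the mounted /run/secrets/netrc file, neither the Dockerfile nor the docker build command line contains them.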
